[comments-root-zone-consultation-08mar13]

Consultation on Root Zone KSK Rollover from the IAB

To: comments-root-zone-consultation-08mar13@xxxxxxxxx

Subject: Consultation on Root Zone KSK Rollover from the IAB

From: IAB Chair <iab-chair@xxxxxxx>

Date: Thu, 23 May 2013 16:22:26 -0400

The IAB is taking this opportunity to provide general advice about the
rollover of the DNSSEC Root Zone Key Signing Key (KSK).
RFC 6781 provides advice on rollover of KSKs that are used as trust
anchors. The Root Zone KSK is clearly a trust anchor, and the IAB
encourages ICANN to follow this guidance from Section 3.2.2 of
RFC 6781:
It is therefore preferable to roll KSKs that are expected to be used
as trust anchors on a regular basis if and only if those rollovers
can be tracked using standardized (e.g., RFC 5011 [RFC5011])
mechanisms.
To this end, the IAB suggests the rollover of the Root Zone KSK before
the end of the year, with significant prior notice to all involved parties,
including vendors, implementors, TLD operators, and end-users.
In addition, the IAB suggests that RFC 5011 be followed. The new KSK
for the Root Zone should be published as widely as possible using
mechanisms in addition to those specified in RFC 5011 to minimize
surprises. If any problems are discovered in the rollover process,
please contribute to an update of RFC 5011 to correct them.
On behalf of the IAB,
Russ Housley
IAB Chair